Ask HN: Can I safely run a made-in-China Single Board Computer as my firewall?

6 points

3 years ago

I want to run a single board computer as my firewall (Internet -> Modem -> SBC -> Router). I bought a Nano Pi R4S because its hardware specs seem perfect for this use case. By default it runs on an insecure fork of OpenWRT called FriendlyWRT, but it's possible to run OpenWRT mainline on it, as well as DietPi.

Assuming I successfully flash a mainline kernel onto the device, how can I trust it's still not doing something nefarious? Is it possible to "secure boot" without a trusted compute module? Or at the very least, can I verify the running kernel is the one I expect to be running?

Some other ideas I had:

- Buy a device that isn't made in China. Unfortunately the options are slim, if I want a passively-cooled dual gigabit device with multiple cores and a few GB of RAM. But there are some appealing options, like H3+ from ODroid (South Korea) and STAR64 from Pine64 (which is RISC-V and also out-of-stock). I also considered some rootable Mikrotik devices (Europe), but they don't seem powerful enough to run WireGuard efficiently.

- Monitor outgoing traffic from the SBC by adding a switch between it and the modem, with port mirroring to a monitoring device. This wouldn't eliminate risk but it would at least give me some peace of mind.

Is anyone running a setup like this? How do you stay secure?

It's crazy how hard it is to find a dual nic, passively cooled single board computer that's manufactured in a trustworthy country. There are some options that look appealing at first glance, like Orange Pi, Banana Pi, Visionfive2... but when you look more closely, things are so sketchy; there are three different Orange Pi websites, one at .org, .net and .com... all with different links in their footer! Even Visionfive2 is "open hardware," but the first step is downloading some blob from Baidu drive.